Systems and methods for user access authentication based on network access point

ABSTRACT

Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response. The secure data network may comprise an application level secure data network, in which the user uses the user device to request access to a network application. Furthermore, the identity server may validate the combined user identity and network access point identity data in conjunction with time information, access allowance data, and/or traffic volume data.

FIELD OF THE INVENTION

This invention relates generally to data networking, more specifically, to systems and methods of authenticating user access based on an access point to a secure data network.

BACKGROUND OF THE INVENTION

The secure data network of a company is a critical component of day-to-day functioning of company business activities. One of the crucial operations of a secure data network is the proper access control for a user.

Existing methods for access control to a secure data network are based on a user identity, such a user name or an employee number. In one embodiment, the methods are based on a role associated with the user identity. For example, Roger Singleton's user identity “C12756013” associates with a role of a field support engineer. In another example, Verna Simpson's user identity “verna.simpson” associates with a role of a marketing manager. In one more example, Kimberly Nguyen's user identity “DC201319N” associates with a role of a human resources representative.

With the growing complexity of secure data networks, the variety of business activities conducted via the secure data networks, and particularly the diversity of locations for a user to access the secure data networks, access control based on user identity or its associated role is no longer adequate. For example, a user can access the secure data network of a company from within the company, from home via a public data network such as the Internet, or from a vacation resort via a cellular data network, such as a General Packet Radio Service (GPRS) network.

In one scenario, Kimberly uses her desktop computer in her office to access confidential salary information from the company's secure data network. During lunch time, she takes her laptop computer to a patio outside the company building and has lunch with several co-workers. As she continues her work during lunch, her co-workers walking past her accidentally see the salary information. Although the patio is a much less secure environment physically, compared to her office, Kimberly is nonetheless able to access the same sensitive information from the secure data network.

In another scenario, Verna of Company A visits Company B. She uses her laptop computer to access Company A's secure data network via a network of Company B. She accesses a confidential competitive marketing analysis to prepare for a meeting. In this scenario, the confidential information passes through the network of Company B, increasing the risk of leaking important marketing information of Company A to Company B. Likewise, although the network of Company B is a much less secure environment strategically and electronically, as viewed by and in comparison to that of Company A, Verna is nonetheless able to access the same sensitive information from the secure data network.

The above examples represent a security problem for a secure data network of a company, and they indicate the need for providing a solution for differential secure data network access control based on the network access point. Some work-arounds have been created to address related scenarios, but such work-arounds typically address only narrow aspects of the issue. For instance, one such work-around involves the use of wireless text pagers, such as Blackberry™ devices, that receive and send email from the user's company email account. Assuming that Company A provides Verna with a Blackberry™ to receive and send email using her Company A email account, Company A may still not want Verna to receive or send information confidential to Company A via email on her Blackberry™ device.

To help achieve Company A's desired result, Company A may implement a policy instructing its employees to electronically designate their emails as “Normal,” “Confidential,” “Private,” or “Personal,” as is possible using many email applications, such as MS Outlook™. In addition, Company A may configure its Blackberry™ email re-routing software so that emails electronically designated as “Confidential” are not sent (“pushed”) to Verna's Blackberry™ device, while nonetheless pushing all Verna's other emails to her device. Likewise, Verna may be prevented from sending an email from her device that she designates as “Confidential.” Emails designated as “Confidential” will, as usual, be available from Company A's secure data network, irrespective of where Verna may log-on with her laptop. However, such a work-around is only as good as the implementation of the underlying policy, placing significant reliance on the cooperation of Company A employees to properly designate emails, not to mention Company A's inability to police emails from business partners that may send mutually confidential information to Verna without electronically designating it as “Confidential.”

SUMMARY

Systems and methods of authenticating user access based on an access point to a secure data network are described herein. A secure data network includes a network access point. The network access point serves as an entry point for a user to access the secure data network using a user device. The network access point may connect directly or indirectly to an identity server. The user is associated with a user identity. The association between the user and the user identity may be for a fixed or indefinite period of time. Any user controlling the user device is deemed to be associated with the user identity used to gain such control. The network access point associates with a network access point identity. The user uses a user device to send an access request to the network access point, requesting access to the secure data network. The access request may include the user identity, in which case the network access point obtains the user identity from the access request. Alternatively, the network access point obtains the user identity from other means. The network access point sends the identity server an authentication request. The authentication request includes the user identity. The identity server obtains the user identity from the authentication request. The authentication request may include the network access point identity, in which case the identity server obtains the network access point identity from the authentication request. Alternatively, the identity server may obtain the network access point identity from other means.

The identity server processes the authentication request by validating the combination of the user identity and the network access point identity. The identity server may include a datastore that includes information for a plurality of user identities and a plurality of network access point identities. The identity server may attempt to match the combination of user identity and network access point identity with information in the datastore, which may correspond to a plurality of valid pairs of user identity and network access point identity entries. In such a situation, the identity server may attempt to match the user identity and the network access point identity with one of the plurality of valid pairs of user identity and network access point identity. Based on the outcome of the matching attempt, the identity server responds with an authentication response to the authentication request. Furthermore, based on the authentication response, the secure network may grant access, or deny access, as communicated to the user device via an access response.

The identity server may determine that there is a match between a valid pair in datastore and the combination of user identity and network access point identity. Thus, the identity server determines that the combination of user identity and network access point identity is valid, in which case, the identity server responds positively to the authentication request, and the user device is granted access to the secure data network via the network access point.

Examples of the secure data network may include an Internet Protocol (IP) network; a Local Area Network (LAN); a Wide Area Network (WAN); a wireless network, such as a WiFi network or a General Packet Radio Service (GPRS) network; a public IP network such as the Internet; a private IP network such as a home network or a company network.

Examples of the user device may include a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smart-phone, or a device that includes a computing unit connectable to a network.

Examples of the user identity may include: a user name; an identity of user device, such as a Media Access Control (MAC) address, an Internet Protocol (IP) address and port number, a device serial number, or subscriber information in a subscriber identity module (SIM) card or Universal Subscriber Identity Module (USIM) card; a telephone number; security information such as a password, a security code or a secret answer to a security question; and/or biometric characteristics, such as fingerprints, fingerprints, eye retinas, eyes irises, voice or signature.

Examples of the network access point may include: a firewall, a wireless access point, a Dynamic Host Configuration Protocol (DHCP) server, a Remote Access Server (RAS), a Broadband Remote Access Server (BRAS), a web server, a secure web server, or a virtual private network (VPN) server; and/or a termination point of an access tunnel, such as a virtual private network (VPN) tunnel, a Generic Routing Encapsulation (GRE) tunnel, or a Layer-2 Tunnel Protocol (L2TP) tunnel.

Examples of the network access point identity may include: a network access point name; an IP address or a port number; security information such as a password or a security code; a device name or a machine identity such as a serial number; and/or other access information. In the event that the user device connects to network access point via an access tunnel, such as a VPN tunnel, an L2TP tunnel, or a GRE tunnel, the network access point identity may include an identity of the access tunnel termination point. In the event that the user device connects to network access point via a General Packet Radio Service (GPRS) network, the network access point identity may include an Access Point Name (APN).

The present invention likewise may apply where the secure data network comprises an application level secure data network. The user uses the user device to request access, via an access request, to an application level secure data network for a network application. When the network access point receives the access request, the network access point may determine that access to a specific network application is requested. The network access point then may send an authentication request to the identity server. After receiving the authentication request, the identity server processes the authentication request and responds with an authentication response, the consequences of which are communicated to the user device via an access response.

Examples of the network application may be, depending on the context: an enterprise application, an employee benefit application, a human resources salary administration application, or an inventory information application; a library system, a conference workshop application, a live concert webcast or a hotel television over IP application; and/or a web application.

To portray possible scenarios, for a single user using a single user device seeking access to a single desired network application, in which access may be granted and others in which it may not, the application level secure data network may include a first network access point and a second network access point. The first network access point is associated with a first network access point identity; the second network access point is associated with second network access point identity.

In one scenario, the user employs the user device to send a first application access request to the first network access point, requesting access to an application level secure data network for a desired network application. The first network access point sends the identity server a first authentication request. The identity server processes the first authentication request by validating the combination of the user identity and the first network access point identity. After processing the first authentication request, the identity server sends a first authentication response to the network, which communicates a first access response to the user device. If the identity server determines that the combined user identity and first network access point identity is valid, the user is granted access to access application level secure data network for the desired network application via use of user device at the first network access point.

In a different scenario, the user employs the user device to send a second application access request to the second network access point, requesting access to the application level secure data network for the desired network application, as above. The second network access point sends the identity server a second authentication request. The identity server processes the second authentication request by validating the combined user identity and second network access point identity. After processing the second authentication request, the identity server sends a second authentication response to the network, which communicates a second access response to the user device. If the identity server determines that the combined user identity and second network access point identity pair is not valid, then user is not granted access to access application level secure data network for the desired network application via use of the user device at second network access point.

Examples of the possible pairs of first and second network access points, vis-à-vis exemplary applications, include: (1) an office area of the company and an outdoor patio area of the company, wherein the user may use the user device to access an enterprise application from the office area, but not from the outdoor patio area; (2) a company intranet and an external data network, such as the Internet, wherein the user may use the user device to access a human resources salary administration application from inside the company intranet, but not via the Internet at a downtown café that provides hotspot Internet access.

Variations on the basic concept of are also within the scope of the present invention. For instance, the identity server may validate the combined user identity and network access point identity in conjunction with time information, access allowance data, and/or traffic volume data.

BRIEF DESCRIPTION OF DRAWINGS

In the following figures, like references correspond to like components. For the purposes of illustrating the various aspects of the invention, there are shown in the drawings simplified forms, it being understood, however, that the invention is not limited to the precise arrangements shown, but rather only by the claims.

FIG. 1 illustrates a block diagram of exemplary interactions across a secure data network 170.

FIG. 2 illustrates a block diagram of the flow of data during an exemplary process 240 for identity server 290 to process an authentication request 259.

FIG. 2A illustrates a block diagram of the steps 241-248 of the exemplary process 240 for identity server 290 to process an authentication request 259.

FIG. 3 illustrates a block diagram of the flow of data during a further embodiment of a process for identity server 390 to determine network access point identity 355 from communication information.

FIG. 4 illustrates a block diagram of exemplary interactions across an application level secure data network 470.

FIG. 5 illustrates a block diagram of exemplary interactions across an application level secure data network 570 with a first network access point 550 and a second network access point 560.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to a person of ordinary skill in the art, that these specific details are merely exemplary embodiments of the invention. In some instances, well known features may be omitted or simplified so as not to obscure the present invention. Furthermore, reference in the specification to “one embodiment” or “an embodiment” is not meant to limit the scope of the invention, but instead merely provides an example of a particular feature, structure or characteristic of the invention described in connection with the embodiment. Insofar as various embodiments are described herein, the appearances of the phase “in an embodiment” in various places in the specification are not meant to refer to a single or same embodiment.

FIG. 1 illustrates a block diagram of exemplary interactions across a secure data network 170. A secure data network 170 includes a network access point 150. Network access point 150 serves as an entry point for a user 110 to access secure data network 170 using a user device 120. Network access point 150 connects to an identity server 190.

In one embodiment, secure data network 170 is an Internet Protocol (IP) network. In one embodiment, secure data network 170 includes a Local Area Network (LAN). In one embodiment, secure data network 170 includes a Wide Area Network (WAN). In one embodiment, secure data network 170 includes a wireless network, such as a WiFi network or a General Packet Radio Service (GPRS) network. In one embodiment, secure data network 170 includes a public IP network such as the Internet. In one embodiment secure data network includes a private IP network such as a home network or a company network.

In one embodiment, user device 120 is a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smartphone, or a device that includes a computing unit connectable to a network. A user 110 may control the user device 120 directly, as in personal configuration or physical operation, or indirectly, as in the vicarious use through remotely configured or operated systems.

User 110 is associated with user identity 115. For purposes of this invention, it is irrelevant whether user 110 is the intended user of user identity 115; i.e., even if user 110 is borrowing the user identity 115 of another user, user 110 is nonetheless associated with user identity 115 during such use. In one embodiment, user identity 115 includes a user name. In one embodiment, user identity 115 includes an identity of user device 120, such as a Media Access Control (MAC) address, an Internet Protocol (IP) address and port number, a device serial number, or subscriber information in a subscriber identity module (SIM) card or Universal Subscriber Identity Module (USIM) card. In one embodiment, user identity 115 includes a telephone number. In one embodiment, user identity 115 includes security information such as a password, a security code or a secret answer to a security question. In one embodiment, user identity 115 includes biometric characteristics, such as fingerprints, fingerprints, eye retinas, eyes irises, voice or signature.

In one embodiment, a network access point includes a firewall, a wireless access point, a Dynamic Host Configuration Protocol (DHCP) server, a Remote Access Server (RAS), a Broadband Remote Access Server (BRAS), a web server, a secure web server, or a virtual private network (VPN) server. In on embodiment, network access point 150 includes a termination point of an access tunnel, such as a virtual private network (VPN) tunnel, a Generic Routing Encapsulation (GRE) tunnel, or a Layer-2 Tunnel Protocol (L2TP) tunnel.

Network access point 150 associates with network access point identity 155. In one embodiment, network access point identity 155 includes a network access point name. In one embodiment, network access point identity 155 includes an IP address or a port number. In one embodiment, network access point identity 155 includes security information such as a password or a security code. In one embodiment, network access point identity 155 includes a device name or a machine identity such as a serial number. In one embodiment, network access point identity 155 includes other access information. In one embodiment, user device 120 connects to network access point 150 via an access tunnel, such as a VPN tunnel, an L2TP tunnel, or a GRE tunnel, in which case network access point identity 155 includes an identity of the access tunnel termination point. In one embodiment, user device 120 connects to network access point 150 via a General Packet Radio Service (GPRS) network, in which case network access point identity 155 includes an Access Point Name (APN).

User 110 uses user device 120 to send an access request 129 to network access point 150, requesting access to secure data network 170. In one embodiment, access request 129 includes user identity 115, in which case network access point 150 obtains user identity 115 from access request 129. In another embodiment, network access point 150 obtains user identity 115 from other means. In one embodiment, access request 129 is an IP packet, user identity 115 includes an IP address, and the network access point 150 extracts the IP address from the source address field in the IP header of access request 129.

Network access point 150 sends identity server 190 an authentication request 159. Network access point 150 may generate the authentication request 159 using an authentication request engine, not shown, within network access point 150. Authentication request 159 includes user identity 115. Identity server 190 obtains user identity 115 from authentication request 159. In one embodiment, authentication request 159 includes network access point identity 155, and identity server 190 obtains network access point identity 155 from authentication request 159. In another embodiment, identity server 190 obtains network access point identity 155 from other means. In one embodiment, authentication request 159 is an IP packet and network access point identity 155 includes an IP address, in which case identity server 190 extracts the IP address from the source address field in the IP header of authentication request 159.

Identity server 190 processes authentication request 159 by validating the combined user identity 115 and network access point identity 155. In one embodiment, identity server 190 determines that the combined user identity 115 and network access point identity 155 is valid, in which case user 110 can use user device 120 to access secure data network 170.

FIG. 2 illustrates a block diagram of the flow of data during an exemplary process 240 for identity server 290 to process an authentication request 259. The exemplary process 240 appears in FIG. 2A, which illustrates a block diagram of the steps 241-248 of the exemplary process 240.

In preparation of an authentication request 259, the user identity 215 and network access point identity 255 are collected, as in steps 241A and 241B. In step 242, the authentication request 259 is sent from the network access point 150, and identity server 290 receives an authentication request 259 in step 243. In step 244, identity server 290 obtains user identity 215 from authentication request 259.

In one embodiment, identity server 290 obtains network access point identity 255 from authentication request 259. In one embodiment, authentication request 259 is an Access-Request packet based on Remote Authentication Dial In User Service (RADIUS) authentication protocol described in IETF RFC 2865 “Remote Authentication Dial In User Service (RADIUS)”. In this case, identity server 290 extracts, or parses, user identity 215 from the RADIUS Access-Request packet. For example, user identity 215 may include a user name, in which case identity server 290 extracts the user name from User-Name attribute in the RADIUS Access-Request packet. Likewise, user identity 215 may include a password, which identity server 290 would extract from the RADIUS Access-Request packet in the User-Password attribute. In another embodiment, identity server 290 might extract the password from CHAP-Password attribute in the RADIUS Access-Request packet. In a further embodiment, user identity 215 may include a telephone number, leading identity server 290 to extract the telephone number from Calling-Station-Id in the RADIUS Access-Request packet. In other embodiments, user identity 215 may include other information, such as subscriber information or biometric characteristics, in which cases identity server 290 extracts the other information from Vendor-Specific attribute in the RADIUS Access-Request packet.

In step 245, identity server 290 parses the network access point identity 255 data, such as by extracting the network access point identity 255 from the RADIUS Access-Request packet. In one embodiment, network access point identity 255 includes an IP address, and identity server 290 may extract the IP address from NAS-IP-Address attribute in the RADIUS Access-Request packet. In another embodiment, network access point identity 255 may include a physical port number, wherein identity server 290 extracts the physical port number from NAS-Port attribute in the RADIUS Access-Request packet. In another embodiment, network access point identity 255 may include a physical port type, and identity server 290 may extract the physical port type from NAS-Port-Type attribute in the RADIUS Access-Request packet. In other embodiments, network access point identity 255 may include other information, such as an identity of a terminating point of an L2TP tunnel, a GRE tunnel, or a VPN tunnel, in which cases identity server 290 may extract the other information from Vendor-Specific attribute in the RADIUS Access-Request packet.

In step 246, identity server 290 processes authentication request 259 by validating the combined user identity 215 and network access point identity 255. In one embodiment, identity server 290 includes a datastore 295 that includes information for a plurality of user identities 215 and a plurality of network access point identities 255. Identity server 290 may attempt to match the combination of user identity 215 and network access point identity 255 with information in datastore 295, using a validation matching engine, not shown, associated with identity server 290.

In one embodiment, datastore 295 includes a plurality of valid pairs 265A of user identity 215A and network access point identity 255A entries. In such a situation, identity server 290 may attempt to match user identity 215 and network access point identity 255 with one of the plurality of user identity 215A and network access point identity 255A of the valid pairs 265A. Based on the outcome of the matching attempt, identity server 290 responds in step 247 with an authentication response 169 to the authentication request 259. The authentication response 169 may be generated using an authentication response engine, not shown, associated with identity server 290. Furthermore, based on the authentication response 169, the secure network 170 may grant access, as in step 248A, or deny access, as in step 248B, as communicated to the user device via an access response 179. The access response 179 may be generated using an access response engine, not shown, associated with network access point 150.

While the identity server 290 may perform all its steps in a single server, the identity server 290 may comprise, in fact, more than one server, wherein the sequential steps associated with identity server 290 may be performed by separate servers. For instance, the processing step may queue the authentication requests 259 and prepare them for the validation matching engine. This processing step may occur outside a firewall of the secure data network 170, whereas the validation matching engine and the datastore 295 may be on a separate server inside the firewall of the secure data network 170. Once the attempt to match is complete, the validation matching engine may communicate to the authentication response engine, which may be back outside the firewall, that a match or no match exists, for creation of the authentication response 169.

In one embodiment, identity server 290 determines that there is a match between a valid pair 265A in datastore 295 and the combination of user identity 215 and network access point identity 255. Thus, identity server 290 determines that the combination of user identity 215 and network access point identity 255 is valid. In one embodiment, identity server 290 responds positively to authentication request 259, such as in step 248A. In one embodiment, identity server 290 responds positively, via authentication response 169, by sending a RADIUS Access-Accept packet, indicating that the attributes in the RADIUS Access-Request packet are acceptable.

In a different embodiment, authentication request 259 is based on a different authentication protocol, such as DIAMETER described in IETF RFC 3588 “Diameter Base Protocol.” In such a situation, identity server 290 may extract user identity 215 and network access point identity 255 according to the different authentication protocol. In yet another embodiment, authentication request 259 may be based on a proprietary Application Programming Interface (API). Identity server 290 likewise would extract user identity 215 and network access point identity 255 according to the API.

FIG. 3 illustrates a block diagram of the flow of data during a further embodiment of a process for identity server 390 to determine network access point identity 355 from communication information. Network access point 350 is associated with network access point identity 355. Network access point 350 communicates with identity server 390 and sends authentication request 359 to identity server 390. Identity server 390 receives authentication request 359.

In one embodiment, network access point 350 may communicate to identity server 390 over an IP network, in which case authentication request 359 may be an IP packet. Network access point identity 355 likewise may include an IP address. Identity server 390 may then extract the IP address from the source address field in the IP header of authentication request 359.

In an additional embodiment, authentication request 359 is a User Datagram Protocol (UDP) packet, in which case network access point identity 355 may include a port number, and the identity server 390 may extract the port number from the source port field in the UDP header of authentication request 359.

In another embodiment, authentication request 359 may be a Transport Control Protocol (TCP) packet, in which case network access point identity 355 may include a port number, and identity server 390 may extract the port number from the source port field in the TCP header of authentication request 359.

In a further embodiment, authentication request 359 may be a VPN tunnel mode packet, in which case network access point identity 355 may include an IP address of the VPN tunnel, in which case identity server 390 may extract the VPN tunnel IP address from the source address field in the outer IP header of authentication request 359. An example of a tunnel mode header is described in section 5.1.2 “Header Construction for Tunnel Mode” in IETF RFC 4301 “Security Architecture for the Internet Protocol”.

FIG. 4 illustrates a block diagram of exemplary interactions across an application level secure data network 470. Application level secure data network 470 is a variation of secure data network 170. User 410 uses user device 420 to request access, via an access request 429, to an application level secure data network 470 for a network application. In accordance with various embodiments of the present invention, the network application may be, for example, an enterprise application, an employee benefit application, a human resources salary administration application, or an inventory information application. In other embodiments, the network application may be, for instance, a library system, a conference workshop application, a live concert webcast or a hotel television over IP application. In still further embodiments, the network application may be a web application.

In one embodiment, the network application uses TCP protocol for communication. User device 420 may send an application access request 429. Application access request 429 may be a TCP SYN packet. The TCP SYN packet may include a TCP header and an IP header.

When network access point 450 receives the TCP SYN packet, network access point 450 may determine that access to a specific network application is requested. In particular, network access point 450 may extract the port number from the destination port field in the TCP header of the TCP SYN packet, and then network access point 450 may determine that the port number matches the specific network application. Network access point 450 then may send an authentication request 459 to identity server 490.

In one embodiment, network access point 450 may extract the IP address from the source address field in the IP header of the TCP SYN packet, in which case network access point 450 may include the IP address in user identity 415. In another embodiment, network access point 450 may determine the user identity 415 based on the IP address.

Network access point 450 may include user identity 415 in authentication request 459, which the network access point 450 then send to identity server 490. In one embodiment, network access point 450 may include in authentication request 459 the network access point identity 455 that is associated with network access point 450.

In another embodiment, the network application may use Hypertext Transfer Protocol (HTTP) for communication, in which case, when the user device 420 sends an application access request 429, the application access request 429 may be an HTTP packet that, for instance, may include a header. When network access point 450 receives the HTTP packet, network access point 450 may determine based on the header that access to a specific network application is requested. For example, the header may include a URL, and the network application may be determined by a sub-string in the URL. In another embodiment, the header may include an HTML tag that identifies the network application. In a further embodiment, the HTTP packet may be a GET request, and the network application may be determined by a sub-string in the GET request.

In one embodiment, network access point 450 may extract the IP address from the source address field in the IP header of the HTTP packet. Network access point 450 may include the IP address in user identity 415. In another embodiment, network access point 450 may determine user identity 415 based on the IP address. In another embodiment, network access point 450 may extract information from an HTTP header, which, for example, may include user information, and the network access point 450 may extract this user information from the HTTP header. The network access point 450 may include the user information in user identity 415. For instance, network access point 450 may determine user identity 415 based on the user information.

Network access point 450 includes user identity 415 in authentication request 459 and sends authentication request 459 to identity server 490. In one embodiment, network access point 450 includes network access point identity 455 that is associated with network access point 450 in authentication request 459. After receiving the authentication request 459, identity server 490 processes the authentication request 459 and responds with an authentication response 469, the consequences of which are communicated to the user device 420 via an access response 479.

FIG. 5 illustrates a block diagram of exemplary interactions across an application level secure data network 570 with a first network access point 550 and a second network access point 560. Although depicted in the specific context of an application level secure data network 570, the same principles of FIG. 5 apply to a general secure data network 170 having more than one network access point 150.

An application level secure data network 570 includes a first network access point 550 and a second network access point 560. The first network access point 550 is associated with first network access point identity 555; the second network access point 560 is associated with second network access point identity 565. User 510 is associated with user identity 515.

In one embodiment, user 510 employs user device 520 to send a first application access request 529 to the first network access point 550, requesting access to application level secure data network 570 for a network application. The first network access point 550 sends identity server 590 a first authentication request 559. Identity server 590 processes authentication request 559 by validating the combined user identity 515 and first network access point identity 555 as illustrated in FIG. 2A. After processing the first authentication request 559, identity server 590 sends a first authentication response 569 to the network 570, which communicates a first access response 579 to user device 520. If identity server 590 determines that the combined user identity 515 and first network access point identity 555 is valid, user 510 is granted access to access application level secure data network 570 for the network application via use user device 520 at first network access point 550.

Indifferent scenario, user 510 employs user device 520 to send a second application access request 528 to the second network access point 560, requesting access to application level secure data network 570 for the same network application as above. The second network access point 560 sends identity server 590 a second authentication request 558. Identity server 590 processes second authentication request 558 by validating the combined user identity 515 and second network access point identity 565 as illustrated in FIG. 2A. After processing the second authentication request 558, identity server 590 sends a second authentication response 568 to the network 570, which communicates a second access response 578 to user device 520. If identity server 590 determines that the combined user identity 515 and second network access point identity 565 is not valid, then user 510 is not granted access to access application level secure data network 570 for the same network application via use user device 520 at second network access point 560.

Given the interconnecting nature of a secure data network 170 and an application level secure data network 470/570, it is possible that the authentication request 558 may not travel directly to the identity server 590. It may pass through various network components, such as hubs, switching stations, base stations, hosting servers, etc., before reaching the identity server 590. Authentication request 558 may pass also through first network access point 550 on its way to identity server 590. However, even if authentication request 558 passes through first network access point 550, it is clear that the authentication request 558 should reflect that the user 510 is attempting to access the secure data network 570 via second network access point 560. Thus, the reality of the attempted access is preserved, and user device 515 is not granted access due to passing through first network access point 550 if access would be denied based on sending the access request 528 to second network access point 560.

As with other network communications, the authentication request 559 may keep a log of its communication path, tracking the identities of network nodes in reaching its destination. The communication path of the authentication request, and that of the possible access if granted, likewise may be the subject of scrutiny for potential security weaknesses, and the identity server 590 may deny access if the path itself contains a weak link in the chain of communication. The identity server 590 may treat the network node identities tracked in the communication log of the authentication request 559 as network access point identities 555/565. In such a case, the identity server 590 may be configured to determine that access should be granted only where all network access point identities 555/565 along the communication path combine as valid pairs 265A with the user identity 515.

According to one exemplary embodiment of the present invention, application level secure data network 570 is a company data network. The first network access point 550 serves as an entry point for accessing application level secure data network 570 from an office area of the company. The second network access point 560 serves as an entry point for accessing application level secure data network 570 from an outdoor patio area of the company. The application level secure data network 570 may be configured so that user 510 can use user device 520 to access application level secure data network 570 for an enterprise application from the office area, but cannot access application level secure data network 570 for the same enterprise application from the outdoor patio area.

According to an additional embodiment, the first network access point 550 serves as an entry point for accessing application level secure data network 570 via a company intranet. The second network access point 560 serves as an entry point for accessing application level secure data network 570 via an external data network, such as the Internet. The application level secure data network 570 may be configured so that user 510 can use user device 520 to access application level secure data network 570 for a human resources salary administration application from inside the company intranet, but cannot access application level secure data network 570 for the same human resources salary administration application at a downtown café that provides hotspot Internet access.

In some cases, the network application may use a different protocol for communication, in which cases the network access point 550 may need to obtain user identity 515 based on this different protocol. For instance, the different protocol may be User Datagram Protocol (UDP), File Transfer Protocol (FTP), Session Initiation Protocol (SIP), or Real-Time Streaming Protocol (RTSP). In other instances, the network application may use an Extensible Markup Language (XML) document for communication, in which case the network access point 550 may obtain user identity 515 based on the Document Type Definition (DTD) for the XML document. Moreover, the network application may use a Web service interface, and the network access point 550 may rely on the Web service interface to obtain user identity 515.

Variations on the basic concept of are also within the scope of the present invention. For instance, identity server 590 may validate the combined user identity 515 and first network access point identity 555 in conjunction with time information. In one embodiment, the validity of the combined user identity 515 and first network access point identity 555 may depend on the time of day when identity server 590 conducts the validation. In another embodiment, identity server 590 validates the combined user identity 515 and first network access point identity 555 in conjunction with access allowance. Access allowance may be measured in various ways, such time duration, download volume, network traffic volume, etc., or combinations thereof. For example, the validity of the combined user identity 515 and first network access point identity 555 may depend on the access allowance, as measured in access time duration in light of access traffic volume associated with the user identity 515 and the first network access point identity 555, such as limits of 2 hours or 2 gigabytes of data transfer, which occurs sooner.

In yet further embodiments, the application level secure data network 570 may be deployed in a high school campus, a college campus, a hospital, a warehouse, a hotel, an airport, a stadium, an amphitheatre, or a cruise ship, to provide for differential network access control based on the point of access. Moreover, the application level secure data networks 570 may be deployed for differential charging based the access point to the application level secure data network.

Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the present invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the present invention as defined by the appended claims. 

We claim:
 1. A method of user access authentication, the method comprising: receiving an authentication request; determining whether to grant a user device access to a secure data network via a plurality of network access points, the plurality of network access points including a first network access point and a second network access point; and, responding to the authentication request with an authentication response indicating whether the user device is granted access to the secure data network via the plurality of network access points; wherein: the authentication request travels along a communication path including the first network access point and the second network access point; and whether to grant the user device access is determined based on at least three data points, the at least three data points comprising a user identity provided by the user device, a first network access point identity associated with the first network access point, and a second network access point identity associated with the second network access point; wherein the combination of the user identity, the first network access point identity and the second network access point identity results in at least one of: (i) not granting the user device access to the secure data network; and (ii) granting the user device access to the secure data network, wherein the secure data network includes at least one of an Internet Protocol (IP) network; a Local Area Network (LAN); a Wide Area Network (WAN); a wireless network; a WiFi network; a General Packet Radio Service (GPRS) network; a public IP network; and a private IP network; wherein the user device includes at least one of a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smart-phone, and a device having a computing unit connectable to a network; wherein the user identity includes at least one of a user name; an identity of user device; a Media Access Control (MAC) address; an Internet Protocol (IP) address and port number; a device serial number; subscriber information in a subscriber identity module (SIM) card; subscriber information in a Universal Subscriber Identity Module (USIM) card; a telephone number; security information; a password; a security code; a secret answer to a security question; biometric characteristics; fingerprint data, eye retinal data, eye iris data voice pattern recognition data and signature recognition data; wherein the first network access point and/or the second network access point includes at least one of a firewall; a wireless access point a Dynamic Host Configuration Protocol (DHCP) server; a Remote Access Server (RAS); a Broadband Remote Access Server (BRAS); a web server; a secure web server; a virtual private network (VPN) server; a termination point of an access tunnel; a termination point of a virtual private network (VPN) tunnel; a termination point of a Generic Routing Encapsulation (GRE) tunnel; and a termination point of a Layer-2 Tunnel Protocol (L2TP) tunnel; and wherein the first network access point identity and/or the second network access point identity includes at least one of a network access point name; an IP address; a port number; security information; a password; a security code; a device name; a machine identity; a serial number; an identity of an access tunnel termination point and an Access Point Name (APN).
 2. The method of claim 1 further comprising: receiving at the first network access point an access request from the user device; generating the authentication request in response to receiving the access request; sending the authentication request from the first network access point to an identity server for processing; processing the authentication request to determine whether to grant the user device access to the secure data network via the first and the second network access points; and sending the authentication response from the identity server to the first network access point.
 3. The method of claim 2 further comprising: sending an access response from the first network access point to the user device.
 4. The method of claim 2: wherein the access request includes the user identity; and wherein the first network access point obtains the user identity from the access request.
 5. The method of claim 2 wherein: the first network access point obtains the user identity from a source other than the access request.
 6. The method of claim 1: wherein the authentication request includes the user identity; and wherein the determining is done by an identity server obtaining the user identity from the authentication request.
 7. The method of claim 1: wherein the authentication request includes the first and second network access point identities; and wherein the determining is done by an identity server obtaining the first and second network access point identities from the authentication request.
 8. The method of claim 1 wherein: the determining is done by an identity server obtaining the first and second network access point identities from a source other than the authentication request.
 9. The method of claim 1 wherein: the determining is done by an identity server including a datastore having information corresponding to a plurality of valid combinations of user identity and network access point identity entries.
 10. The method of claim 9 wherein: processing the authentication request includes attempting to match the user identity and the first and second network access point identities with one of the plurality of valid combinations of user identity and network access point identity entries.
 11. The method of claim 10 wherein: the authentication response indicates that the user device is granted access to the secure data network via the first and second network access points if the identity server matches the user identity and the first and second network access point identities with one of the plurality of valid combinations of user identity and network access point identity entries.
 12. The method of claim 1 wherein: the secure data network includes an application level secure data network.
 13. The method of claim 12 wherein: the access request seeks access to a network application, and the access request includes a Transport Control Protocol (TCP) access request.
 14. The method of claim 13 further comprising: determining that access to the network application is sought, wherein the first network access point determines that access to the network application is sought.
 15. The method of claim 13 wherein: the network application includes an enterprise application; an employee benefit application; a human resources application; an inventory information application; a library system; a conference workshop application; a live concert webcast; a hotel television over IP application; or a web application.
 16. The method of claim 1: wherein the user identity combined with the first network access point identity results in a determination to grant the user device access to the network application; and wherein the user identity combined with the second network access point identity results in a determination not to grant the user device access to the network application.
 17. The method of claim 16: wherein the authentication request logs the first network access point identity; wherein the authentication request logs the second network access point identity; and wherein the user identity combined with the first network access point identity and the second network access point identity results in a determination not to grant the user device access to the network application.
 18. The method of claim 1 wherein: the at least three data points further comprise at least one additional data point.
 19. The method of claim 18 wherein: the at least one additional data point includes at least one of a time data point, an access allowance data point, and a traffic volume data point.
 20. The method of claim 1, wherein: the authentication request logs the first network access point identity and the second network access point identity; the user identity combined with the first network access point identity results in a determination to grant the user device access to the network application; the user identity combined with the second network access point identity results in a determination to grant the user device access to the network application; and the user identity combined with the first network access point identity and the second network access point identity results in a determination to grant the user device access to the network application.
 21. The method of claim 1, wherein the authentication request maintains a log of the communication path and tracks identities of network nodes, including the first and second access points, encountered while traversing the communication path to reach a destination.
 22. A system of user access authentication, the system comprising: a secure data network having a plurality of network access points; a first network access point selected from the plurality of network access points; an identity server in communication with the secure data network via the first network access point, wherein: the identity server processes an authentication request, sent by the first network access point, based on an access request that travels along a communication path including the first network access point and a second network access point and is received by the first network access point from a user device controlled by a user; the identity server determines whether to grant the user device access to the secure data network via the first network access point and the second network access point based on at least three data points, the at least three data points comprising a user identity associated with the user, a first network access point identity associated with the first network access point, and a second network access point identity associated with the second network access point; wherein the combination of the user identity, the first network access point identity and the second network access point identity results in at least one of: (i) not granting the user device access to the secure data network; and (ii) granting the user device access to the secure data network; and, the identity server responds to the authentication request with an authentication response sent to the first network access point indicating whether the user device is granted access to the secure data network via the first network access point and the second network access point wherein the secure data network includes at least one of an Internet Protocol (IP) network; a Local Area Network (LAN); a Wide Area Network (WAN); a wireless network; a WiFi network; a General Packet Radio Service (GPRS) network; a public IP network; and a private IP network; wherein the user device includes at least one of a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smart-phone, and a device having a computing unit connectable to a network; wherein the user identity includes at least one of a user name; an identity of user device; a Media Access Control (MAC) address; an Internet Protocol (IP) address and port number; a device serial number; subscriber information in a subscriber identity module (SIM) card; subscriber information in a Universal Subscriber Identity Module (USIM) card; a telephone number; security information; a password; a security code; a secret answer to a security question; biometric characteristics; fingerprint data, eye retinal data, eye iris data voice pattern recognition data; and signature recognition data; wherein the first network access point and/or the second network access point includes at least one of a firewall; a wireless access point; a Dynamic Host Configuration Protocol (DHCP) server; a Remote Access Server (RAS); a Broadband Remote Access Server (BRAS); a web server; a secure web server; a virtual private network (VPN) server; a termination point of an access tunnel; a termination point of a virtual private network (VPN) tunnel; a termination point of a Generic Routing Encapsulation (GRE) tunnel; and a termination point of a Layer-2 Tunnel Protocol (L2TP) tunnel; and wherein the first network access point identity and/or the second network access point identity includes at least one of a network access point name; an IP address; a port number; security information; a password; a security code; a device name; a machine identity; a serial number; an identity of an access tunnel termination point; and an Access Point Name (APN).
 23. The system of claim 22, further comprising: an authentication request engine at the first network access point, the authentication request engine capable of generating the authentication request based on the access request received by the first network access point; and an access response engine at the first network access point, the access response engine capable of generating the access response based on the authentication response received by the first network access point.
 24. The system of claim 22, wherein: the identity server includes a datastore and a validation matching engine; and wherein the datastore includes information corresponding to a plurality of valid combinations of user identity and network access point identity entries; wherein the validation matching engine attempts to match the user identity and the first and second network access point identities with one of the plurality of valid combinations of user identity and network access point identity entries; and, wherein the authentication request indicates that the user device is granted access to the secure data network via the first network access point and the second network access point if the identity server matches the user identity and the first and second network access point identities with one of the plurality of valid combinations of user identity and network access point identity entries.
 25. The system of claim 22 wherein: the secure data network includes an application level secure data network.
 26. The system of claim 25 wherein: the access request seeks access to a network application, and the access request includes a Transport Control Protocol (TCP) access request.
 27. The system of claim 26 wherein: the first network access point determines that access to the network application is sought.
 28. The system of claim 27 wherein: the network application includes an enterprise application; an employee benefit application; a human resources application; an inventory information application; a library system; a conference workshop application; a live concert webcast; a hotel television over IP application; or a web application.
 29. The system of claim 22: wherein the user identity combined with the first network access point identity results in a determination to grant the user device access to the network application; and wherein the user identity combined with the second network access point identity results in a determination not to grant the user device access to the network application.
 30. The system of claim 29: wherein the authentication request logs the first network access point identity; wherein the authentication request logs the second network access point identity; and wherein the user identity combined with the first network access point identity and the second network access point identity results in a determination not to grant the user device access to the network application.
 31. The system of claim 22 wherein: the at least three data points further comprise at least one additional data point.
 32. The system of claim 22, wherein: the authentication request logs the first network access point identity and the second network access point identity; the user identity combined with the first network access point identity results in a determination to grant the user device access to the network application; the user identity combined with the second network access point identity results in a determination to grant the user device access to the network application; and the user identity combined with the first network access point identity and the second network access point identity results in a determination to grant the user device access to the network application.
 33. A method of user access authentication, the method comprising: receiving an authentication request; determining whether to grant a user device access to a secure data network via a plurality of network access points, the plurality of network access points including a first network access point and a second network access point; and, responding to the authentication request with an authentication response indicating whether the user device is granted access to the secure data network via the plurality of network access points; wherein: the authentication request travels along a communication path including the first network access point and the second network access point; and whether to grant the user device access is determined based on at least three data points, the at least three data points comprising a user identity provided by the user device, a first network access point identity associated with the first network access point, and a second network access point identity associated with the second network access point; wherein the combination of the user identity, the first network access point identity and the second network access point identity results in at least one of: (i) not granting the user device access to the secure data network; and (ii) granting the user device access to the secure data network, wherein the authentication request maintains a log of the communication path and tracks identities of network nodes, including the first and second access points, encountered while traversing the communication path to reach a destination. 